diff options
| author | beck <> | 2020-09-20 18:22:31 +0000 |
|---|---|---|
| committer | beck <> | 2020-09-20 18:22:31 +0000 |
| commit | ac446f804f10dfa09dd8c5e483ded6d2ac7cdeb7 (patch) | |
| tree | 65b2ab0fb8a04dc2a61f3bcb20de1562d09812d8 /src | |
| parent | 0a7afeae06c69c09fad3e24ba5446736b204958d (diff) | |
| download | openbsd-ac446f804f10dfa09dd8c5e483ded6d2ac7cdeb7.tar.gz openbsd-ac446f804f10dfa09dd8c5e483ded6d2ac7cdeb7.tar.bz2 openbsd-ac446f804f10dfa09dd8c5e483ded6d2ac7cdeb7.zip | |
Correct a 1 byte read overflow in x509_contraints_uri and add
regress to catch it in the future.
found by Guido Vranken's cryptofuzzer
ok tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 13 | ||||
| -rw-r--r-- | src/regress/lib/libcrypto/x509/constraints.c | 4 |
2 files changed, 13 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 5abea52e59..8fafadfcdf 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.5 2020/09/20 03:19:52 tb Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.6 2020/09/20 18:22:31 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -438,7 +438,7 @@ x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len) | |||
| 438 | * the caller must free, or or NULL if it could not be found or is | 438 | * the caller must free, or or NULL if it could not be found or is |
| 439 | * invalid. | 439 | * invalid. |
| 440 | * | 440 | * |
| 441 | * rfc 3986: | 441 | * RFC 3986: |
| 442 | * the authority part of a uri starts with // and is terminated with | 442 | * the authority part of a uri starts with // and is terminated with |
| 443 | * the next '/', '?', '#' or end of the URI. | 443 | * the next '/', '?', '#' or end of the URI. |
| 444 | * | 444 | * |
| @@ -454,7 +454,12 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char**hostpart) | |||
| 454 | uint8_t *authority = NULL; | 454 | uint8_t *authority = NULL; |
| 455 | char *host = NULL; | 455 | char *host = NULL; |
| 456 | 456 | ||
| 457 | /* find first // */ | 457 | /* |
| 458 | * Find first '//'. there must be at least a '//' and | ||
| 459 | * something else. | ||
| 460 | */ | ||
| 461 | if (len < 3) | ||
| 462 | return 0; | ||
| 458 | for (i = 0; i < len - 1; i++) { | 463 | for (i = 0; i < len - 1; i++) { |
| 459 | if (!isascii(uri[i])) | 464 | if (!isascii(uri[i])) |
| 460 | return 0; | 465 | return 0; |
| @@ -557,7 +562,7 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, | |||
| 557 | size_t len, int *error) | 562 | size_t len, int *error) |
| 558 | { | 563 | { |
| 559 | int ret = 0; | 564 | int ret = 0; |
| 560 | char *hostpart; | 565 | char *hostpart = NULL; |
| 561 | 566 | ||
| 562 | if (!x509_constraints_uri_host(uri, ulen, &hostpart)) { | 567 | if (!x509_constraints_uri_host(uri, ulen, &hostpart)) { |
| 563 | *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; | 568 | *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c index 86ed8faf14..6e76f08113 100644 --- a/src/regress/lib/libcrypto/x509/constraints.c +++ b/src/regress/lib/libcrypto/x509/constraints.c | |||
| @@ -152,6 +152,10 @@ unsigned char *invaliduri[] = { | |||
| 152 | "https://.www.openbsd.org/", | 152 | "https://.www.openbsd.org/", |
| 153 | "https://www.ope|nbsd.org%", | 153 | "https://www.ope|nbsd.org%", |
| 154 | "https://www.openbsd.org.#", | 154 | "https://www.openbsd.org.#", |
| 155 | "///", | ||
| 156 | "//", | ||
| 157 | "/", | ||
| 158 | "", | ||
| 155 | NULL, | 159 | NULL, |
| 156 | }; | 160 | }; |
| 157 | 161 | ||